[Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority?

Dmitri Pal dpal at redhat.com
Tue Feb 14 19:43:56 UTC 2012


I hit reply instead of reply all again. Sorry. Adding the list back.

On 02/14/2012 02:43 PM, Dmitri Pal wrote:
> On 02/13/2012 12:43 PM, Marco Pizzoli wrote:
>> Hi Adam,
>>
>> On Mon, Feb 13, 2012 at 5:58 PM, Adam Young <ayoung at redhat.com
>> <mailto:ayoung at redhat.com>> wrote:
>>
>>     On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
>>>     Hi,
>>>     I see DogTag PKI used as a certificate server for the enrollment
>>>     of hosts and services.
>>>     What about the enrollment of normal X509v3 certificates? I have
>>>     not seen, correct me if I'm wrong, any reference to the
>>>     possibility to use it as a regular CA for user certificates. Not
>>>     within FreeIPA, of course.
>>>
>>>     Is there any drawback in using it as the primary CA for the company?
>>
>>     It is a full CA.  You can use it as such.  Dogtag is a vibrant
>>     project in its own right,  and you can find developers on
>>     #dogtag-pki in Freenode.  The install is done via pkisilent,  and
>>     you might want to make sure that you understand the parameters
>>     used to call it.
>>
>>
>> I will. Thanks for the pointer.
>>  
>>
>>     One major drawback is that IPA has disabled Nonces in the Dogtag
>>     backend.  These are there to defend against a CSRF attack.  What
>>     this means is that you should not expose the Dogtag WebUI through
>>     the IPA server,  either on its Dogtag port or via HTTP proxy.  It
>>     should be explicitly stated that IPA implements Nonces for its
>>     web UI, and does not allow session based calls through to the
>>     Dogtag back end,  so its configuration is secure.  The problem is
>>     only exposed if you expose additional web URLs to the Dogtag
>>     backend beyond those specified in the PKI Proxy.
>>
>>     Enabling nonces will break IPA.
>>
>>
>> You told me something I wasn't aware of. I will dig into this during
>> next weeks.
>>  
>>
>>     I've installed and used the standard Java tools for Dogtag and
>>     used them to talk to the PKI backend installed by IPA.  They work
>>     fine.
>>
>>
>> Ok, this is what I hoped to read! :-)
>>
>>     Currently,  IPA acts as a single Agent in Dogtag.   This should
>>     be fine.  For other certificate usage,   you should probably use
>>     a different agent. 
>>
>>
>> Please be patient with me, I don't understand yet the concept of
>> "agent". Even a reference to the documentation would be helpful to me.
>>  
>
>
> "Agent" is client side software that can connect to CA, authenticate
> and has a role to perform specific operations against CA.
>
>>     IPA does not currently support user certificates.  However, 
>>     there are standard LDAP object classes and attributes that you
>>     could conceivably use to record them if you wanted to keep them
>>     in a single DirSrv.  Obviously,  you do not want to put the
>>     private keys on the IPA server, so plan accordingly.
>>
>>
>> I will, I promise :-)
>>  
>>
>>     Red Hat does not support using the Certificate Server (PKI)
>>     backend with its Identity management install for purposes other
>>     than support for the IdM (IPA) front end, so beware that you have
>>     no "up sell" if you desire to get paid support for IPA.
>>
>>
>> I understand.
>> I link a question I'm curious of: if I remember correctly, on the
>> PKI-user mailing list I read a user complaining about RH not selling
>> RHCS standalone anymore. Is it true?
>
> It is true to some extent.
> It is sold under special conditions. For more info on RHCS sales
> conditions you need to go via official RH channels.
>
>>
>> You've been very helpful! Your blog too.. :-)
>> Thanks a lot!
>> Marco
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
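The advice above is that, with nonces disabled in the IPA-installed Dogtag backend, only the URLs the PKI proxy deliberately forwards should ever reach it. The following is an added example (not code from the thread, from IPA or from Dogtag): an offline audit that parses a constructed, simplified Apache ProxyPassMatch allowlist in the spirit of IPA's PKI proxy and flags any agent/admin Dogtag path that a pattern would forward. The directive shape is real Apache syntax; the patterns, paths and the /ca/agent/ and /ca/admin/ prefixes are assumptions chosen for illustration.

```python
import re

# Constructed stand-in for a strict proxy allowlist (assumption, not IPA's real file):
# only end-entity and OCSP paths are forwarded to the Dogtag AJP connector.
STRICT_CONF = r"""
ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009
ProxyPassMatch ^/ca/ee/ca/profileSubmit ajp://localhost:8009
ProxyPassMatch ^/ca/ocsp ajp://localhost:8009
"""

# Constructed over-broad allowlist: one pattern forwards the whole /ca/ tree.
LOOSE_CONF = r"""
ProxyPassMatch ^/ca/ ajp://localhost:8009
"""

# Dogtag URL spaces assumed to carry agent/admin operations that must stay
# unreachable while the backend runs without CSRF nonces.
PRIVILEGED_PREFIXES = ("/ca/agent/", "/ca/admin/")

# Constructed sample request paths to evaluate against the allowlist.
SAMPLE_PATHS = [
    "/ca/ee/ca/profileSubmit",
    "/ca/ocsp",
    "/ca/agent/ca/profileProcess",
    "/ca/admin/ca/getStatus",
]

def parse_proxy_patterns(conf):
    """Collect the path regex of every ProxyPassMatch line in the config text."""
    patterns = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ProxyPassMatch":
            patterns.append(re.compile(parts[1]))
    return patterns

def is_forwarded(path, patterns):
    """True if any allowlist pattern would proxy this path to the backend."""
    return any(p.search(path) for p in patterns)

def audit(conf, paths):
    """Classify each path as forwarded/blocked and list exposed privileged paths."""
    patterns = parse_proxy_patterns(conf)
    verdict, findings = {}, []
    for path in paths:
        fwd = is_forwarded(path, patterns)
        verdict[path] = "forwarded" if fwd else "blocked"
        if fwd and path.startswith(PRIVILEGED_PREFIXES):
            findings.append(f"privileged Dogtag path exposed via proxy: {path}")
    return {"paths": verdict, "findings": findings}

if __name__ == "__main__":
    for name, conf in (("strict", STRICT_CONF), ("loose", LOOSE_CONF)):
        print(name, audit(conf, SAMPLE_PATHS))
```

Point the parser at the real proxy configuration and at the paths an operator actually intends to expose to turn this into a deployment check.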


